pptx

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local PowerPoint editing skill, but users should work on copies because some workflows intentionally rewrite or clear presentation content.

Install only if you want an agent to read, unpack, render, and write local PowerPoint files. Use copies of important decks, review replacement JSON before bulk replacement, avoid running it on untrusted Office files or HTML, and be aware that optional dependencies may require local package installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
This file implements Word (`.docx`) redlining validation, but the skill is declared for PowerPoint (`.pptx`) presentation tasks. Capability drift and scope mismatch are risky because they expand the trusted code surface beyond the advertised function, making review, sandboxing, and least-privilege controls less effective.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Invoking the external `git` executable gives the skill process-spawning capability that is not justified by a presentation-editing context. Even though the arguments are fixed here, external tool execution increases attack surface through PATH hijacking, unexpected binary behavior, environment manipulation, and weaker sandbox assumptions.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger text includes an expansive catch-all such as 'any other presentation tasks,' which can cause the skill to activate for loosely related requests. Over-broad invocation increases exposure to risky file and shell operations when a simpler, safer workflow might have sufficed.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The instructions state that all text shapes will be cleared automatically unless replacement paragraphs are supplied, but they do not require a prominent user warning or confirmation before this destructive step. In an editing skill, this creates a substantial risk of accidental data loss or silent content removal across a presentation.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The script calls ZipFile.extractall() on a user-supplied Office file without validating archive member paths. A crafted ZIP/OOXML archive can exploit path traversal ('zip slip') to write files outside the intended output directory, potentially overwriting arbitrary files accessible to the process. In this skill context, handling untrusted .pptx-like inputs makes this more dangerous because presentations are a plausible attacker-controlled input.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script unconditionally clears every inventoried text frame before checking whether a replacement exists, so running it with incomplete or mistaken JSON can silently erase presentation content. In this skill context, the tool is specifically designed to modify .pptx files, which makes destructive behavior more plausible and increases the risk of accidental data loss or sabotage if an agent or user supplies bad input.

VirusTotal

67/67 vendors flagged this skill as clean.
